PT-2026-29864 · Openproject · Openproject

Ochk0 · Published 2026-04-02 · Updated 2026-04-03 · CVE-2026-34717

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenProject versions prior to 17.2.3

Description: OpenProject, a web-based project management software, embeds user input directly into SQL WHERE clauses without proper parameterization. The defect is in the =n operator in modules/reporting/lib/report/operator.rb:177 and could allow SQL injection. It is reachable by authenticated users, who could potentially gain access to the database.

Recommendations: Update to version 17.2.3 or later.
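To make the described defect class concrete, the following is an added Ruby illustration written for this page; it is not OpenProject's code and does not reproduce the affected operator.rb. It models a small reporting-style filter builder with a string operator "=" and a numeric operator "=n", and contrasts a builder that interpolates filter values into the WHERE text with one that allow-lists the column, emits "?" placeholders and returns the values as bind parameters. The names build_where_unsafe, build_where_safe, OPERATORS and ALLOWED_FIELDS, and the sample filters, are assumptions constructed for the example.

```ruby
# Added example (not OpenProject's code). Operator table: the "=n" operator is
# meant to compare numbers, which is exactly the property the safe builder
# enforces before any SQL is produced.
OPERATORS = {
  "="  => { sql: "=",  numeric: false },
  "=n" => { sql: "=",  numeric: true  },
  "!=" => { sql: "<>", numeric: false },
}.freeze

# Column identifiers cannot be passed as bind parameters, so they are checked
# against an allow-list instead of being taken from the request as-is.
ALLOWED_FIELDS = %w[project_id status assigned_to].freeze

def checked_field(field)
  raise ArgumentError, "unknown field #{field.inspect}" unless ALLOWED_FIELDS.include?(field)
  field
end

# Unsafe pattern: each filter value is spliced into the SQL text. A quote or an
# operator inside a value changes the structure of the statement, and the
# numeric operator does not verify that the value is a number at all.
def build_where_unsafe(filters)
  filters.map do |field, op, value|
    spec = OPERATORS.fetch(op)
    literal = spec[:numeric] ? value.to_s : "'#{value}'"
    "#{checked_field(field)} #{spec[:sql]} #{literal}"
  end.join(" AND ")
end

# Safe pattern: the SQL text contains only allow-listed identifiers and "?"
# placeholders; every user value is returned separately as a bind parameter.
# Values for a numeric operator are coerced with Integer(), so anything that is
# not a base-10 integer is rejected before a query exists.
def build_where_safe(filters)
  clauses = []
  binds = []
  filters.each do |field, op, value|
    spec = OPERATORS.fetch(op)
    clauses << "#{checked_field(field)} #{spec[:sql]} ?"
    binds << (spec[:numeric] ? Integer(value, 10) : value.to_s)
  end
  [clauses.join(" AND "), binds]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample filters, as a reporting request might submit them.
  filters = [["project_id", "=n", "12"], ["status", "=", "O'Brien"]]
  puts "unsafe: #{build_where_unsafe(filters)}"
  sql, binds = build_where_safe(filters)
  puts "safe:   #{sql} -- binds=#{binds.inspect}"
end
```

The bind array is what a database driver's prepared-statement API consumes, so the values never reach the SQL parser; the `Integer()` coercion on the numeric operator is an additional, cheap check that turns a malformed "number" into an ArgumentError at the application layer, which is also a useful signal to log.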

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-34717

Affected Products: Openproject